July 31, 2014

Hi Jennifer,
I am interested in implementing an internal email marketing (ie. Monthly newsletters, re-activations, etc) program with my patients, such as Constant Contact.  How can we use a system like this and comply with HIPAA laws protecting patient’s PHI?  Such as sharing email addresses and names with a third-party provider.  Thanks!
Dr. S


Great question!  Email marketing absolutely poses a risk of violating HIPAA requirements.  Generally, you would be entering a patient's email address, possibly their name and some other identifying markers.  Remember, any individual identifiable information related to the patient is protected health information under HIPAA and required to be protected by you. So, you can see how simply an email address would qualify, even if you are not entering any additional information.  And, the fact that a patient is a patient is protected.  One way to engage in email marketing is to engage with a company that is actually HIPAA compliant, which would require such company to enter into a Business Associate Agreement with you, and operate in accordance with that document's terms, of which you would want them to indemnify you for any breach on their part.  Next, the company would need to be operating with encryption levels and security appropriate for HIPAA protection.  Two companies that came up claiming they comply (I HAVE NOT CONFIRMED THIS IS TRUE) are Clinical Contact  and  LuxSci Spotlight Mailer.   

Another way to comply with HIPAA would potentially be to send to a large universe of email addresses that are not necessarily your patients, and you could show upon review are not your patients and having no health information transmitted - truly for marketing purposes only.  This should protect you because, for instance, you are authorized to buy resident addresses from the post office (which they sell) and send mass mailings. 
 BE ADVISED to adhere to all Anti-Spam requirements, opt-out, etc.  

A final thought on email marketing - be very careful what you send out!  Do not run afoul of any state or federal laws rules or regulations that may prohibit promotional kickbacks, free-bes, claims of granduer or professional superiority or the like. 

Not sure how you are sending or what you are sending is compliant?  Run it by 
me before you click send!

I-STOP Implementation - Common Q&As

Looking for HIPAA and compliance forms?  
Click here to visit 
our website.

Have a question or comment for Jennifer?
Contact Jennifer at Jennifer@Kirschenbaumesq.com or  at (516) 747-6700 x. 302.